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Abstract. We give a new construction of nonlinear error-correcting 
codes over suitable finite fields k from the geometry of modular 
curves with many rational points over k, combining two recent im- 
provements on Goppa's construction. The resulting codes are asymp- 
totically the best currently known. 



1. Introduction. 

1.1 Review of Goppa's construction. Fix a finite field k of q = p a elements. 
Let C be a (projective, smooth, irreducible) algebraic curve of genus g defined 
over fc, with N rational points. It is known that 

N < (q 1 / 2 - 1 + o(l))g (1) 

as g — > oo (Drinfcld-Vladu^ pQ). We say a curve of genus g — * oo is "asymptoti- 
cally optimal" if it has at least (q 1 ^ 2 — 1 — o(l)) g rational points over k. If a is 
even (that is, if qo '■— \fq is an integer), then modular curves of various flavors 
— classical (elliptic), Shimura, or Drinfcld — attain 

N>( qo -l)(g-l) = (q^ 2 -l-o(l))g (2) 

^3 EH j an d are thus asymptotically optimal. 

Let D be a divisor on C of degree < N. Goppa ([S], see also ^5]) regards the 
space C(D) of sections of D as a linear code in k , whose dimension r and 
minimal distance d satisfy r > deg(£>) — g + 1 (by the Riemann-Roch theorem) 
and d > N-deg(D) (because a nonzero section of D has at most deg(D) zeros). 
Thus the transmission rate R — r/N and the error-detection rate S = d/N of 
Goppa's codes are related by 

R+8>l-j;. (3) 

This lower bound improves as N/g increases. For q = q$, we may take C 
asymptotically optimal, and find 

R + 5>1 : l —- (l) (4) 

for an infinite family of linear codes over fc, which is the best that can be obtained 
from J2Jl. 
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Let us say that (Rq, 5q) is asymptotically feasible if Ro, So are positive and there 
exist arbitrarily long codes over k, linear or not, with 1 R > R and S > So- 
Then Goppa's construction yields the asymptotic feasibility of (R ,So) for any 
positive R , S such that R + So < 1 — (1/(90 — !))■ This is true because deg(-D) 
is an arbitrary integer in (0, N), and nontrivial (in the sense that such (Ro, So) 
exist) once qo > 2. 

By comparison, a random code or random linear code of length TV — > 00 and rate 
R has error-detection rate at least S — o(l) with probability 1 — o(l) provided 
S < (q — l)/q and R + H q (5) < 1, where H q is the normalized entropy function 



H q (5) 51og 9 (q-l)-<51og 9( 5-(l-<5)log g (l-5) (5) 

1 



SlogJ(q-l)?—^)-log(l-S) Mil 



= lim iV _:L log ( CAr 

Therefore if < S Q < (q - l)/q and < Ro < 1 - H q (S ) then (i? , <5 ) is 
asymptotically feasible. This is the Gilbert-Varshamov bound. 

Once go > 7, Goppa's construction yields asymptotically feasible (Rq,So) be- 
yond the Gilbert-Varshamov bound. This was the first construction to improve 
on Gilbert-Varshamov in this sense, and it remains the only such construction 
that yields linear codes. 

1.2 Beyond Goppa. For about 20 years Goppa's technique remained the best 
construction of codes over an alphabet of size q^ > 49 beyond the Gilbert- 
Varshamov bound. Refinements concerned only algorithmic improvements, for 
exhibiting suitable curves C (see [2] for classical and Shimura curves, |3| for 
further Shimura curves, and [51 17111*11X2*] for Drinfeld modular curves) and using 
the resulting codes for error-resistant communication (polynomial-time encoding 
and decoding, see I n 03 > 2 we use d rational functions on C to construct 

algebraic-geometry codes over the (q + l)-letter alphabet P 1 (k) = k U {00}, and 
gave asymptotic estimates on their parameters R, S. We argued in [5] that these 
codes improve on Goppa's in a range of parameters that includes all the Goppa 
codes that improve on Gilbert-Varshamov; but our comparison was necessarily 
indirect due to the different alphabet sizes. 

Even more recently, Xing |14j gave a new construction of nonlinear algebraic- 
geometry codes over k. Like Goppa, Xing uses sections of line bundles, but he 
cleverly exploits the sections' derivatives to find codes with better asymptotic 
parameters than Goppa's. The Xing codes have 

R + S > 1 - ^ + £ log, + ^i) - o(l), (7) 



1 As usual, the rate of a nonlinear code C C k n is defined by R = N -1 log IJ (#C), which 
equals r/N when C is linear. 

2 While was the first publication, we obtained these results in the mid-1990's and in- 
cluded them in several conference and seminar talks starting in 1996. 
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which improves on Q by 



co / _ 1 \ 1 

: = E lo g 9 (i + V) = i^ ( ^ 3 " 9-4 + 0(9_B)) - (8) 

In particular, this is the first construction of algebraic-geometry codes over a 
4-letter alphabet with R, S both bounded away from zero. (Our codes over P 1 (fc) 
attained this for an alphabet of 5 letters.) Xing's construction does not require 
that q = Qq, and yields an improvement of c q over the Goppa bound (J3J) for 
all q. 

In this paper we obtain a further improvement, at least for q — qfi, by applying 
Xing's technique to our codes of While those codes used an alphabet of 
q+ 1 letters, our new codes ^£)(/i) use the g-letter alphabet k, and can thus be 
compared directly with Goppa's and Xing's codes. We find that when q = q$ 
our ^dQi) have parameters that improve on Xing's, replacing the sum (jSJ) by 

l0 ^( 1 + ?)=i4^ 3 -°^- (9) 

We conclude that (Rq, So) is asymptotically feasible for any positive Rq, Sq such 
that 

Ro + S < 1 l — + log, ( 1 + 4 J- (10) 

This also gives further support to our claim that the codes of 5 improve on 
Goppa's. Xing's refinement applies to both constructions and yields nonlinear 
codes over the same alphabet, making possible a direct comparison in which the 
codes of |Hj come out ahead. 

Like the codes of jS] and (probably) ^3], and unlike Goppa codes, our new codes 
^d(/i) are still very far from any practical use: it is not even clear that one can 
efficiently encode integers in [1, (#'%)(/i)) 1_0 ^ 1 '] or recognize whether a given 
word in k N is in that code, let alone solve the error-correcting problem. 

The rest of this paper is organized as follows. We first review the nonlinear 
algebraic-geometry codes C m , Cr>(/i) of We then combine these two con- 

structions, and show that our new codes %>(/i) attain the claimed improvement 
over Xing's codes. 

This work is supported in part by the National Science Foundation (grant DMS- 
0200687). 

2. Two variations on a theme of Goppa 

2.1 Xing: nonlinear codes from derivatives of sections. Let C be a 

(projective, smooth, irreducible) algebraic curve of genus g defined over k, with 
N rational points Pi, ... , Pn- For each j = 1, . . . , N, choose a local uniformizing 
parameter tj at Pj, that is, a rational function on C vanishing to order 1 at Pj. 
(Different choices of tj will yield isomorphic codes.) For any rational function 
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/ G k(C), let /j 1 *-* (r = 0, 1, 2, . . .) be the tj coefficient of its expansion in powers 
of tj; that is, = f(Pj), and /j 1 ', fj, fj, . . . are chosen inductively so that 

tj m (f - £ <r<m 4 r) ^) iS re § Ular at P i fOT aU m - 

Let D be a divisor on C. As in ^1] , we simplify the exposition by assuming that 
the support of D is disjoint from C(k) — {Pi, . . . , Pn}- (Little is lost by this 
assumption, because any divisor on C is linearly equivalent to one satisfying the 
disjointness condition, and linearly equivalent divisors yield equivalent codes.) 
Note that we do not assume that deg(D) < N , and indeed we shall use divisors of 
degree considerably larger than N. We denote by C(D) the vector space of global 
sections of D. For any distinct /, /' G £(£)), the difference f — f has a total 
of deg(D) zeros in C(k), counted with multiplicity. Goppa's construction does 
not exploit multiplicity, using only the corollary that f(Pj) = f'(Pj) holds for 
at most deg(D) values of j. Multiple zeros are the key to Xing's improvement. 

For r > define r : £(£>) -> k N by 

Mf) = (fi r) ,ft ) ,---,f i N ) )- (ii) 

Recall that the Hamming distance d(-, •) on k N is defined by 

d(c,c'):=#{je{l,2,...,N}\c j ^c' j }. (12) 

For each positive integer m, Xing defines a code C m as follows. For r — 
0, 1, . . . , m — 1, fix positive real numbers a r < (q — l)/q, which will be specified 
later to optimize C m . Choose c r G k N to maximize the size of 

M m ■= {/ e C{D) | d(cr,<f> r (f)) < a r N for each r = 0, 1, . . . , m - l}, (13) 

and define 

C m := <f>m(M m ). (14) 

As (co, . . . , Cm-i) varies over all q mN possible choices, the average size of M m 
equals q~ mN #(£(D)) times the product of the sizes of closed Hamming balls of 
radius aoN, o\ N, . . . , er m _i7V. The maximal M. m is therefore at least as large, 
so 

#M m > q (H -° (1))N #(£(D)), (15) 
where the negative number H is given in terms of the entropy function JSJ) by 

rn— 1 

H=J2(H q (a r )-l). (16) 

j-=0 

Now let /, /' be distinct functions in Ai m , and for each r > let I r be the set 
of i G {1, . . . ,N} such that = /j (r) . If r < m then #/ r > (1 - 2a r )N, since 
TV — #I r is the distance between the words <fi r (f), <t>r{f) in the same Hamming 
ball of radius a r N . On the other hand, the total number of zeros of / — /' at 
Pi, . . . , P n , counted with multiplicity, is 
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LXJ /ft i 

E#( n ^) > E^n 1 --) 

rn / s \ 

> (m + l)JV-£ X)(JV-#Z r ) (17) 

s =0 \r=0 / 
rn 

= (m + l)N-^(m + l-r)(N -#I r ) 

m— 1 

> (m - 2 £ ( m + 1 — r)ay^ N + #I m - 

r=0 

Since this number may not exceed the degree of D, we deduce that 

m— 1 

#7 m < deg(D) - (m-2^(m + l- r)a r ^N. (18) 

r=0 

Define c?o , then, by 

m— 1 

do := (m + 1 - 2 ^ (m + 1 - r)oy) TV - deg(L>). (19) 

Then #/ m < N - d . That is, d((f> m (f), <j> m (f')) > d . Therefore C m has 
minimum distance at least do- Assume that deg(-D) is small enough that do > 0: 

m — 1 

deg(£>) < (m + 1- 2^ (m + 1- r)oy) N. (20) 

i-=0 

Then #/ m < N, that is, <fi m (f) ^ 4> m (f). Therefore 4> m is injective and 

if C m = HM m - 

It remains to optimize deg(D) and ay given S = do/N. By Riemann-Roch, 
C(D) is a fc-vector space of dimension at least deg(D) — g + 1, with equality if 
£) > 2g — 2 (which will be the case for all D that we use) . Combining this with 
(|19|) and the estimate (|15|) on #Ai m , we find 



EWr) - 2(to + 1 - r)a r ) - a(l). (21) 



r=0 



The left-hand side is a lower bound on R + S for the code C m . If we take all 
ay = 0, the right-hand side reduces to 1 — (g/N), and we recover the Goppa 
bound 121 — which is to be expected because in this case C m is equivalent to the 
Goppa code C(D — m J2i=i (Pj)) (this is most easily seen if we also choose each 
c r = 0). Since the derivative of H q (a) — 2 (to + 1 — r) at a = is +oo for any 
to, r, there must exist positive ay that improve on Goppa. By differentiating 
each term of the sum in (|21|) . Xing computed that the optimal choice is 

- r = ( ? -l)/( 9 2(m+l-r) + ? _ 1)) (22) 
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corresponding to oy/(l — ay) = q~ 2 ( m+1 ~ r \q—l). Using the equivalent formula 
Jfjjl for H q and taking i = m + 1 — r, the m-th term of 121|) is seen to equal 
log (1 + q~ 2l {q — 1)) at the optimal ay, whence the codes C m attain 

1 171+1 / — 1 \ 

r + s>i- — + J2 log, (l + j - (23) 

Taking m — > oo and q = q 2 recovers |J7J; without the hypothesis q = %, Xing's 
construction still improves on yj by adding c q to the lower bound on R + <5. 

2.2 Codes over P 1 (fc) from rational functions and sections. 

The codes we introduced in [5] use rational functions on C instead of the global 
sections that comprise Goppa's codes. Let D be a divisor of degree zero on C. 
For a nonnegative integer h, we define M D (h) to be the set of rational sections 
of degree < h of the line bundle L/j associated to D. That is, M£>(/i) C k(C) 
consists of the zero function together with the rational functions / on C whose 
divisor (/) is of the form E — D, where E is a divisor whose positive and 
negative parts each have degree at most h. For instance, Mo(h) is the set of 
rational functions of degree at most h. Here, as opposed to we do not assume 
that h < N/2, and indeed we shall use considerably larger h. 

To use these Mpi(h) for coding, we need an upper bound on the number of 
solutions, with multiplicity, of f(P) = f'(P) for distinct rational sections /, /' 
of Lrj, given the degrees of / and /'. We define this multiplicity as follows. For 
each P £ C(k) choose a rational function ip P whose divisor has the same order 
at P as D. (The definition will be clearly independent of the choice of <p P .) 
Then P is a solution of / = /' if the rational functions if P f and f P f have 
the same value, finite or infinite, at P. In the former case, the multiplicity is 
the valuation of {<fi P f) — {<Ppf) at P. In the latter case, the multiplicity is the 
valuation of (<p P f)~ 1 — (^pf)^ 1 at P. Of course if P is not a solution of / = /' 
then its multiplicity is zero. 

Proposition. Suppose f,f are distinct rational sections of Lp>, with degrees 
h,h'. For P £ C{k) let m(P) be the multiplicity of P as a solution of f = f. 
Then J2pec(k) m (P) = h + h'. 

Proof. For P £ C(k), if P is a pole of <p P f, let /j,(P) be the multiplicity of 
this pole, and otherwise set n(P) = 0; define fjf(P) likewise using <p P f. Then 
h + h! = J2pec(k)(p( p ) + M'( p ))- But we claim that m ( p ) ~ (m(-P) + M'(-P)) is 
the valuation at P of f P f — fpf ', considered also as a rational section of Lp>- 
This claim is immediate if neither ip p f nor <p P f has a pole at P; if just one 
of them has a pole there then <*p P f — f P f has a pole of the same order, which 
equals fi(P) + fi' (P) , while m(P) = 0; finally, if both <f P f 1 f P f have poles at P, 
then m(P) > 0, and the claim follows from the identity 

(<ppf'){<ppf) 

by taking valuations at P. This establishes our claim in all cases. But the sum 
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over P e C(k) of v P (<p P f — <p P f) vanishes, since J2pec(k) v p(f ~ /') = while 
Specffe) v pi L Pp) — deg(D) was also assumed to equal zero. Since 

]T up^p/ - <p P f) = ^(m(P) - ( M (P) + /*'(P))) - E m ( p ) ~( h + h ')> 
p p p 

this proves that m(P) = h + b! . □ 

Remark. This result is the analogue for rational sections of the fact that a 
nonzero element of C{D) has deg(D) zeros counted with multiplicity. It refines 
Proposition 1 of [H], where we showed only that / = /' has at most h + h' 
solutions not counting multiplicity. 

In particular, if 2h < N then the evaluation map 0o : MdQi) — > (P 1 ^))^ 
taking / to ((f P f)(Pi), ■ ■ ■ , ( ( /'p N /)(-P/v)) is injective, and its image is a code 
of length N over P 1 (fc) with minimal distance at least N — 2h. We call this code 
Cn(h). Note that it is 2h, rather than h, that plays the role analogous to the 
degree of the divisor on Goppa's construction; the notation h should suggest 
both the Zieight of a rational section of Ld and half of the degree of Goppa's 
divisor. 

We also need the size of this code. It turns out to be easier, though still far 
from trivial, to estimate not individual #Mc(/i) but the average of #Mc(ft) 
as D ranges over (representatives of) the Jacobian Jc, which is the group of 
equivalence classes of degree-zero divisors on C. We quote the following from 
Thm.l]: 3 

If C is asymptotically optimal (i.e., if C varies in a family of curves 
of genus g — > oo with N ~ (q 1 / 2 — 1)^ rational points) , and for each C 
we choose h with p — iiif(h/N) > q/(q 2 — 1), then the average over 
D e J c of #M D (h) is 



q + i 



N±o p (N) 



q 2h - 9 . (24) 



Hence there exist D for which Mo{h) has size at least Q24[l. which exceeds 
by a factor of ((g + l)/q) N ° p( ' JV ' ) the Riemann-Roch estimate on the size of 
C(D) when deg(D) = 2h. Note that we do not require that 2h < N. We 
shall use the result also for some h > N/2, in which case we cannot deduce a 
lower bound on Co{h) (and anyway we have no nontrivial lower bound on the 
minimal distance of Cd(/i)), but will be able to construct another code ^b(/i) 
by adapting Xing's technique. 

3 For individual codes, see |5] Thm.2], which gives the same estimate but only with a 
much higher threshold on p. Since we later use Xing's technique, which requires an averaging 
argument, we would gain little by citing here an estimate on #Mo(h) free of averaging. 
Therefore we do not invoke 5 Thm.2] in our present application. 
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3. New nonlinear codes over k 

We again regard the evaluation map 4>o on Mn(h) as the first of an infinite series 
0o, <j>ii 02, ■ ■ ■ that records not just the values but also the derivatives of rational 
sections of D at Pi, . . . ,Pjv- While (fio takes values in (P 1 (/c)) , the <j) r for 
r > take values in k ; this is why we construct codes with alphabet fc rather 
than P 1 (/c). We define (j>i,<j>2, ■ ■ ■ as follows. If (fp j f)(Pj) = oo then the j-th 
coordinate of <j) r (f) is the tj coefficient of the expansion of ((flp.f)^ 1 in powers 
of tj. Otherwise that coordinate is the tj coefficient of the expansion of <p P .f ■ 
In either case, Pj is a solution of / = /' of multiplicity m if and only if the 
j-th coordinates of <j> r (f), 4>r(f) coincide for < r < m but not for r = m. As 
in |14j. we could have dispensed with the ip P . by choosing a linearly equivalent 
D whose support is disjoint from {Pi, . . . , Pn}- 

Fix positive <tq < q/{q+ 1)- Choose Co G (P 1 (fc)) Af to maximize the size of 

~#n(h) := {/ G M D (h) \ d(c , Mf)) < ^o^}, (25) 

and define 

V D (h) fc(JK D {h)). (26) 

As Co varies over all (q + 1) N possible choices, the average size of ^o{h) equals 
(q + 1) _w #(^#d(/i)) times size of the closed Hamming ball of radius <jqN in 
(P 1 (fc)) . The maximal j&b(K) is therefore at least as large, so 

#Jt D (h) >(q+ l) ( ^ +l(CTo) " 1 " o(1))Ar #(Mz,(/ l )). (27) 

If moreover C is asymptotically optimal and h > pN for some p > q/(q — 1), 
then there exists D such that #(Mc(A)) is bounded below by l|24() . We then 
have 

#^ D (h) > q 2h s CX p[N(\og(q + l)H q+1 (a Q ) -logq - o p (l))]. (28) 

We next fix d > and show that if 

2h<(2- 4a )N - d (29) 

then cf>i is injective on ^£>(h) and its image ^d(/i) is a code of minimum 
distance at least do- We have seen that for any distinct /, /' G Md(Ii) the 
total multiplicity of solutions of / = /' is at most 2h. If /, /' £ ^#o(ft) then 
f(Pj) = f'(Pj) for at least N — 2<jqN values of j. For at least 

N~2a N-d(Mf),Mf)) 

of these, the j-th coordinates of <pi (/) and (j>\ (/') also coincide, so Pj is a solution 
of / = /' of multiplicity at least 2. Hence 

(2-4 ( T O )A r -rf(0i(/),0i(/')) <2h. 
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Therefore if holds then d((f>i(f),(f)i(f')) > d , which proves are claim that 
<pi maps ^o{h) injectively to a code of minimum distance > do. (This is of 
course a direct adaptation of the case m = 1 of Xing's argument, which is 
Theorem 1.2 and §11 of his paper 14 .) 

Finally we take do = SN, let 2h — (2 — 4<7o — 8 — an d optimize ao- 

Combining our results thus far, we have 

l ° gq * %n + £ > 1 - A + log q (q + 1) • H q+1 (a ) - 4a - o p (l). (30) 

If we took do = 0, we would again recover the Goppa bound QJ. 4 Since the 
derivative with respect to <jq of the bound l|30() is +oo, the optimal un must 
improve on |@} as was the case for Xing's construction. The resulting bound 
improves on Xing's because l|371)> involves the entropy function for an alphabet 
of q + 1 letters rather than q. Here we calculate that the optimal ao is 1/(<Z 3 + 1), 
corresponding to ao/(l — <tq) = q~ 3 . Substituting this into l|30|l we obtain 



-^T— ^S>l-^+]og q \l + ^j-o p (l). (31) 

With this choice of ao, the ratio 2h/N easily exceeds the threshold of 2q/(q 2 — 1) 
even for 5 = 1 as long as qo > 4. (We must in any event exclude q — 2 or 3, 
because for those q none of the methods described here could yield codes with 
positive i?, 5 even if asymptotically optimal curves were known.) 

We have therefore proved: 

Theorem. Let qo be a prime power, and k a finite field of q 2 elements. For all 
positive Ro, So satisfying IKJjl . and any No, there exist a curve C/k, a degree-zero 
divisor D on C, and a positive integer h, such that is a code whose length 

N, transmission rate R, and error- detection rate S = d/N satisfy N > No, 
R > Ro, and S > So- In particular, all positive (i?o,(5o) satisfying flUf) are 
asymptotically feasible. 

As noted already, this construction corresponds to the case m = 1 of Xing's 
codes. One can formulate such a construction for any m, but with worse 
results, because only ao increases, and the resulting improvement falls off as 
q~ 2m ~ 2 / log(g) when m grows. Can multiplicities of order > 2 be exploited to 
yield even better codes? 
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